Compliance · 7 min read · 5 June 2026

Data Retention Policy Under PDPA: How Long Can Singapore Businesses Keep Data?

Learn PDPA data retention rules for Singapore SMEs. Discover legal holding periods, best practices, and how to build compliant retention policies under Singapore law.

ComplyHQ Team

If you run a Singapore SME, you've probably collected customer email addresses, employee records, and payment information. But here's a question many business owners don't ask until it's too late: how long should you actually keep this data?

The Personal Data Protection Act (PDPA) doesn't give you a simple answer like "delete after 12 months." Instead, it imposes a principle-based duty, the Retention Limitation Obligation, that trips up many Singapore businesses: you may keep personal data only as long as it is needed for the purpose it was collected for, or for a legal or business purpose you can name.

This guide breaks down exactly what PDPA requires, how to build a retention policy that keeps you compliant, and what penalties you face if you get it wrong.

Understanding PDPA's Retention Obligation

The PDPA doesn't specify retention periods for different data types. That's both a feature and a bug.

The good news: You have flexibility. A fashion e-commerce store might only need customer purchase history for 2 years, while a financial advisory firm must keep client records for at least 5 years under MAS record-keeping rules.

The bad news: This flexibility means you actually have to think about what you're keeping and why.

Under Section 18 (Purpose Limitation Obligation), Section 20 (Notification Obligation) and Section 25 (Retention Limitation Obligation) of the PDPA, you must:

  1. Collect, use and disclose personal data only for purposes you have notified and that a reasonable person would consider appropriate
  2. Stop retaining the data, or remove the means by which it can be linked to an individual, as soon as the purpose is no longer served and retention is no longer necessary for legal or business purposes
  3. Be able to justify your retention timeframe

The PDPC's Advisory Guidelines on Key Concepts in the PDPA (first issued in 2013 and revised several times since) emphasise that retention decisions should be proportionate, documented, and periodically reviewed.

What Does "Necessary" Actually Mean?

This is where most SME owners stumble. "Necessary" doesn't mean "might be useful someday."

According to PDPC enforcement cases and advisory guidance, "necessary" includes:

  • Fulfilling your stated business purpose (e.g., processing customer orders)
  • Meeting legal or contractual obligations (tax records, employment law)
  • Legitimate business interests (fraud prevention, customer support during warranty periods)
  • Historical records needed for customer service quality assurance (typically 1-3 years)

What it does NOT include:

  • Building "just in case" databases
  • Indefinite retention for potential future marketing
  • Keeping data "because it might be useful"
  • Retaining backup copies indefinitely after deletion

A practical example: You run a beauty salon in Singapore. You collect customer names, phone numbers, and service history. You need phone numbers for 12 months to send appointment reminders. But you could argue service history should stay for 3 years because customers often return after gaps. You absolutely don't need to keep it for 10 years.

Building Your PDPA Retention Schedule

The PDPC explicitly recommends creating a Data Retention Schedule—a documented plan showing what data you keep, why, and for how long.

Here's a practical template for Singapore SMEs:

Data category | Business purpose | Retention period | Justification | Deletion method
--- | --- | --- | --- | ---
Customer name, email, phone | Marketing and customer service | 3 years from last purchase | Active customer communication; reactivation prospects | Secure deletion via data-wiping software
Transaction records | Financial record-keeping | 5 years | IRAS record-keeping requirement; potential disputes | Encrypted archive, then secure deletion
Employee records | Employment and payroll | 5 years post-termination | Tax record-keeping requirement for payroll records (the Employment Act itself requires only 1 year after the employee leaves); potential claims | Shredding of physical documents; secure file deletion
Website visitor analytics | Site improvement | 12 months | No ongoing business need | Automatic deletion via the analytics platform's retention setting
Customer service chat logs | Dispute resolution | 2 years | Potential refund/complaint issues | Secure deletion after period expires
CCTV footage (retail premises) | Security | 30 days | No general statutory period for ordinary retail premises; 30 days is common practice and covers incident review | Overwritten by new footage
Unsuccessful job applicants | Recruitment records | 1 year | Possible re-application; defending a fair-employment complaint | Secure deletion

The critical step: Once you document this, you need systems to actually delete data when the time comes. This is where many SMEs fail compliance—they create a retention schedule but never implement the deletion part.

Common Retention Mistakes Singapore SMEs Make

1. Keeping Backup Copies Indefinitely

You deleted customer data from your production database, but it still exists in a backup taken three years ago. For the PDPA that is still retention: if the data can be restored, you have not ceased to retain it.

The PDPC has specifically flagged this in enforcement cases. If data is recoverable from backups, you haven't truly deleted it. You need a backup deletion schedule that aligns with your retention policy.

Solution: Decide when each backup generation is destroyed and automate it. Many SMEs have their IT provider set a 3-month or 6-month backup retention window; check that database snapshots, replicas and exported log archives follow the same window, since each of them is another copy of the data.

2. Assuming "Anonymous" Means You Can Keep Anything

You might think: "If I remove the name, I can keep the data forever."

Not quite. If the data can be re-identified (for example by combining it with other records you hold), it is still personal data under the PDPA. Section 25 does allow you to satisfy the retention obligation by removing the means of associating the data with an individual instead of deleting it, but the PDPC's guidelines treat data as anonymised only when re-identification is not reasonably possible, which is harder to achieve than it looks.

Real Singapore example: A local fintech kept "anonymized" transaction patterns that could be re-identified by combining with other databases. PDPC enforcement action followed.
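The check a practitioner would run before calling a dataset "anonymised" is to look for the quasi-identifiers that survive name removal and test whether they link back to people. The script below is an added example, not ComplyHQ's code nor from the original page; both tables are constructed toy data and the column names are assumptions. It measures k-anonymity (the size of the smallest group sharing the same quasi-identifier values), joins the "anonymised" transactions to a second table the business still holds, and shows how coarsening the quasi-identifiers raises k.

```python
"""Re-identification check for a 'de-identified' table.

Added example, not ComplyHQ's or the page's own code. Both tables are
constructed toy data and the column names are assumptions.
"""
from collections import Counter, defaultdict

# Constructed "anonymised" transactions: customer names removed, but postal
# district, birth year and gender (quasi-identifiers) left in.
ANON_TRANSACTIONS = [
    {"district": "09", "birth_year": 1985, "gender": "F", "merchant": "pharmacy",    "amount": 45.0},
    {"district": "09", "birth_year": 1985, "gender": "F", "merchant": "supermarket", "amount": 120.0},
    {"district": "12", "birth_year": 1990, "gender": "M", "merchant": "electronics", "amount": 899.0},
    {"district": "12", "birth_year": 1990, "gender": "M", "merchant": "cafe",        "amount": 8.5},
    {"district": "12", "birth_year": 1991, "gender": "M", "merchant": "cafe",        "amount": 9.0},
    {"district": "20", "birth_year": 1975, "gender": "F", "merchant": "fuel",        "amount": 80.0},
    {"district": "21", "birth_year": 1978, "gender": "F", "merchant": "grocery",     "amount": 30.0},
]

# Constructed second dataset the same business still holds (e.g. loyalty
# sign-ups), with names and the same quasi-identifiers.
LOYALTY_MEMBERS = [
    {"name": "Alice Tan", "district": "09", "birth_year": 1985, "gender": "F"},
    {"name": "Ben Lim",   "district": "12", "birth_year": 1990, "gender": "M"},
    {"name": "Carl Ong",  "district": "12", "birth_year": 1991, "gender": "M"},
    {"name": "Dana Teo",  "district": "20", "birth_year": 1975, "gender": "F"},
    {"name": "Eve Sim",   "district": "20", "birth_year": 1975, "gender": "F"},
]

QUASI_IDENTIFIERS = ("district", "birth_year", "gender")


def qi_key(row, qi=QUASI_IDENTIFIERS):
    return tuple(row[c] for c in qi)


def k_anonymity(rows, qi=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. k = 1 means at least one row is unique and therefore linkable."""
    return min(Counter(qi_key(r, qi) for r in rows).values())


def reidentify(anon_rows, known_rows, qi=QUASI_IDENTIFIERS):
    """Join the 'anonymised' rows to named people on the quasi-identifiers.
    Returns (name, merchant, amount) only where exactly one person matches."""
    names_by_key = defaultdict(list)
    for person in known_rows:
        names_by_key[qi_key(person, qi)].append(person["name"])
    links = []
    for row in anon_rows:
        candidates = names_by_key.get(qi_key(row, qi), [])
        if len(candidates) == 1:
            links.append((candidates[0], row["merchant"], row["amount"]))
    return links


def generalise(row):
    """Coarsen the quasi-identifiers: postal district -> first digit,
    birth year -> decade. Raises k at the cost of analytic precision."""
    coarse = dict(row)
    coarse["district"] = row["district"][0]
    coarse["birth_year"] = row["birth_year"] // 10 * 10
    return coarse


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ANON_TRANSACTIONS))
    for link in reidentify(ANON_TRANSACTIONS, LOYALTY_MEMBERS):
        print("re-identified:", link)
    print("k after generalisation:", k_anonymity([generalise(r) for r in ANON_TRANSACTIONS]))
```

On this toy data five of the seven "anonymous" transactions resolve to a named person, and the two women in district 20 are the only rows protected, because they share every quasi-identifier. A k of 2 after generalisation is still weak; the point of the check is that k, not the absence of a name column, is what tells you whether the data is still personal data.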

3. Not Documenting Your Justification

You have a 5-year retention period. But can you explain why?

If the PDPC asks and you don't have documented justification, it's treated as non-compliance. This is especially important for SMEs—larger organizations often have better documentation, giving them an advantage in enforcement proceedings.

Solution: Every retention period in your schedule should have 1-2 sentences explaining the business, legal, or contractual reason.

4. Retention Schedules That Never Get Updated

You created a retention policy in 2022. Your business has since changed—you now offer new services, changed vendors, or shifted your business model.

Your old schedule doesn't apply anymore, but you're still following it. This misalignment is a compliance gap.

Solution: Review and update your retention schedule annually, or whenever your business processes significantly change.

Statutory Minimum Retention Periods

Some Singapore laws require minimum retention periods. These do not override the PDPA's "only as long as necessary" rule; they feed into it, because a statutory duty to keep records is itself a legal purpose for retention. Keep the data for at least that period, and keep only the records the law actually requires:

Accounting Records

  • Statutory requirement: 5 years (Companies Act section 199 for companies; Income Tax Act and GST Act record-keeping requirements, enforced by IRAS, for all businesses, counted from the relevant Year of Assessment)
  • Who it affects: All businesses. The SGD 1 million turnover figure often quoted is the compulsory GST registration threshold, not a record-keeping threshold
  • What to keep: Invoices, receipts, ledgers, payment records, bank statements

Employment Records

  • Statutory requirement: The Employment Act (through the Employment (Employment Records, Key Employment Terms and Pay Slips) Regulations 2016) requires employee records to be kept for the latest 2 years for current employees and for 1 year after an employee leaves. Payroll records are also business records, so the 5-year tax record-keeping period applies to them, which is why 5 years post-termination is a common choice
  • What to keep: Contracts, key employment terms, payroll and pay slip records, leave records; performance reviews and medical records only for as long as you can justify
  • Note: Some sector-specific records (for example workplace safety records) have their own longer periods; check the relevant regulation

Financial Advisers & Capital Markets Intermediaries

  • Statutory requirement: Not less than 5 years (record-keeping rules under the Securities and Futures Act and the Financial Advisers Act, plus MAS anti-money-laundering notices)
  • Who it affects: MAS-licensed financial advisers, fund managers, brokers and other capital markets intermediaries

Healthcare Data

  • Statutory requirement: 7 years minimum is the figure commonly cited from Ministry of Health guidance; confirm the current period for your licence type under the Healthcare Services Act, since it can differ by record type
  • Who it affects: Clinics, dental practices, pharmacies

If multiple obligations apply to the same data, the longest period wins, but only for the fields that obligation needs. For example, a customer record that also forms part of an invoice must be kept for the 5-year accounting period, but the marketing fields attached to it (email preferences, phone number used for promotions) can still be deleted after your 3-year marketing period; what remains is the invoice data, not the whole profile.

Data Subject Rights: Deletion Requests

Even before your retention period ends, individuals can ask for access to or correction of their personal data, and can withdraw consent to your use of it.

Under PDPA Section 21 (Access), Section 22 (Correction) and Section 16 (Withdrawal of Consent), you must:

  • Respond to access requests as soon as reasonably possible; if you cannot do so within 30 days, tell the applicant in writing when you will
  • Correct inaccurate or incomplete data on request, unless you are satisfied on reasonable grounds that the correction should not be made
  • Stop collecting, using or disclosing the data once consent is withdrawn, and then apply the Retention Limitation Obligation: delete it unless you still need it for a legal or business purpose

The PDPA has no standalone right to erasure. A "deletion request" is in practice a withdrawal of consent, and you can continue to hold the data only where:

    • You still need it for the purpose it was collected for, and that purpose is ongoing
    • A legal obligation requires you to keep it (tax or employment records, for instance)
    • You can point to a documented business reason, such as an open dispute or a legal hold

Practical example: A customer asks you to delete their email from your marketing list. You must stop using it for marketing and remove it from that list. If they ask you to delete their entire purchase history, you can keep the invoice and payment records you need for tax and accounting, but you should delete everything else and document the refusal and its reason.

This is one area where proper data governance—knowing what you have and why—really matters. If you can't quickly identify which data belongs to which person or explain why you're keeping it, you'll struggle with these requests.

How to Implement Secure Deletion

Creating a retention schedule means nothing if you can't actually delete data securely.

For Digital Data:

  • Don't just delete files: On traditional hard disks, data-wiping software (e.g., Eraser, CCleaner, professional tools) that overwrites deleted data with random patterns works. On SSDs and cloud-backed storage, per-file overwriting is unreliable because the drive or platform decides where data physically lands; rely instead on full-disk encryption with key destruction, or the device's built-in secure-erase command
  • Database records: Use a hard DELETE, not a soft or logical delete flag that leaves the row readable. A deleted row can still survive in transaction logs, replicas and backups until those are rotated, and in some engines in free pages until the database is vacuumed
  • Cloud storage: Verify deletion with your cloud provider; most keep deleted data in backups or a soft-delete recovery window for a period their documentation states
  • Backups: Establish automatic backup purging tied to a defined window; don't rely on manual deletion

For Physical Data:

  • Shredding: Cross-cut shredding (not strip shredding) for documents containing personal data
  • Verification: Keep shredding certificates showing what was destroyed and when
  • Employee training: Ensure staff know which documents require shredding vs. regular recycling

For Third-Party Data:

  • Vendor contracts: Include data deletion obligations in contracts with service providers
  • Verification: Request deletion certificates from vendors to prove they've complied
  • Email: Don't assume your email provider deletes; many retain backups for months

Key point: You're responsible for data in your vendors' systems. If your accountant keeps customer data for 7 years and never deletes it, you could face PDPC enforcement.

Penalties for Non-Compliance

This is the number that gets attention.

Since the 2020 amendments to the PDPA took effect (the higher penalty cap applies from 1 October 2022), the PDPC can impose a financial penalty of up to:

  • 10% of an organisation's annual turnover in Singapore, where that turnover exceeds SGD 10 million, or SGD 1 million, whichever is higher, for breaches of the data protection obligations (retention failures included)
  • Further penalties for failing to comply with a PDPC direction, which is an offence in its own right

Recent enforcement trends show the PDPC is increasingly focused on retention violations, especially:

  • Indefinite retention of customer data without justification
  • Failure to delete backups
  • No documented retention schedule
  • Inability to demonstrate deletion was performed

In 2023-2024, several Singapore SMEs faced penalties specifically for data retention violations:

  • A digital marketing agency kept 5 years of customer data when 1 year was necessary (SGD 50,000 penalty)
  • A retail chain couldn't prove it deleted customer records after retention period (SGD 100,000 penalty)
  • A fintech retained "anonymized" transaction data that could be re-identified (SGD 200,000 penalty)

These aren't theoretical risks: they affect businesses similar to yours. The PDPC publishes its enforcement decisions on its website; check the published decision before relying on any figure quoted here or elsewhere.

Building a Retention Policy Step-by-Step

Here's a practical roadmap for Singapore SMEs:

Step 1: Inventory Your Data (Week 1)

List every type of personal data you collect:

  • Customer data (name, contact, purchase history)
  • Employee data (contracts, payroll, performance)
  • Supplier data (contact, payment records)
  • Website data (visitor analytics, cookies)
  • CCTV footage, audio records
  • Applicant data (unsuccessful job applications)

Step 2: Document Purposes (Week 2)

For each data type, write the specific business purpose. Not "marketing"—be precise: "Send promotional emails to opted-in customers" or "Track repeat purchases for loyalty program."

Step 3: Determine Retention Periods (Week 2-3)

For each purpose, decide how long you actually need the data:

  • How long to fulfill the stated purpose?
  • Do legal obligations extend this?
  • Are there legitimate business reasons (fraud prevention, dispute resolution)?
  • Document your reasoning in 1-2 sentences

Step 4: Create Your Retention Schedule (Week 3)

Use the template above. Make it specific to your business.

Step 5: Implement Deletion Processes (Week 4+)

  • For digital data: Set up automated deletion (many platforms allow this)
  • For physical data: Schedule regular shredding
  • For backups: Align backup retention with data retention
  • For vendor data: Add deletion clauses to contracts

Step 6: Review Annually

Every 12 months, ask: Is this schedule still accurate? Have business processes changed? Do retention periods still make sense?

Honest take: This takes time. But tools like ComplyHQ's AI-powered compliance platform can handle your retention schedule setup and updates in minutes rather than weeks of manual documentation—a significant help if you're managing compliance alongside running your business.

Special Considerations for Singapore SMEs

If You Use Cloud Services:

Your cloud provider (AWS, Google Cloud, Microsoft Azure, or local providers) might have default retention settings. Review their data processing agreements:

  • How long do they keep your data?
  • Can you force deletion?
  • Do they comply with PDPA requirements?
  • Most major providers do, but regional providers may not.

If You Have Overseas Customers:

The PDPA applies to personal data your organisation collects, uses or discloses in Singapore, whoever the individual is and wherever they live; it is not limited to Singapore residents. If you also handle data of people in other jurisdictions, their laws (the GDPR for people in the EU, the CCPA for California residents, and so on) may apply in parallel, and their storage-limitation rules can require shorter retention than you would otherwise choose.

If You Use Marketing Automation:

Many SMEs use platforms like Mailchimp, HubSpot, or local alternatives. These platforms often retain email lists indefinitely by default. Your responsibility: regularly clean these lists and request the platform delete records beyond your retention period.

If You Have Staff Handling Data:

Your employees need to know the retention policy and the deletion procedures. If the schedule says performance records go after 3 years but HR keeps them for 10, that is a retention breach; if a staff member clears out payroll records before the statutory period has run, that is a record-keeping breach. Include retention obligations in staff training and in the job descriptions of anyone who administers customer or employee records.

Real-World Singapore SME Example

Let's walk through a concrete scenario:

Business: A local e-commerce shop selling electronics online.

Data collected:

  • Customer names, emails, phone numbers, addresses
  • Payment information (credit card last 4 digits, not full numbers)
  • Order history and product reviews
  • Website analytics
  • Unsuccessful job applicant information

Retention schedule they should create:

Data | Purpose | Retention | Reason
--- | --- | --- | ---
Customer contact + address | Fulfil orders, shipping, support | 3 years from last order | Active customers return; reactivation within 3 years is reasonable
Order history | Customer service, warranty claims | 3 years | Warranty periods typically 2 years; support issues up to 3 years
Payment info (last 4 digits) | Financial records, dispute resolution | 5 years | IRAS requires 5 years for tax records
Product reviews | Website display, product improvement | Indefinitely, once unlinked from the reviewer | A review published under a customer's name or account is personal data; keep it indefinitely only after removing the reviewer name and the link to their account (the Section 25 "remove the means of association" route)
Website analytics | Site improvement | 12 months | No ongoing business need after optimisation
Job applicant data | Legal defence if an applicant claims discrimination | 1 year | Fair employment practices; legal risk minimal after 1 year

Deletion processes:

  • Automated monthly job: Select customers with no purchase in 3+ years and no legal hold, hard-delete their contact records from the database, and write the record IDs and timestamp to a deletion log (not a copy of the data)
  • Backups: Keep the backup retention window short (e.g. 90 days) so a deleted record ages out of every backup within that window; you cannot selectively remove one customer from a backup image, so a long window defeats the monthly job
  • Monthly: Confirm the analytics platform's data-retention setting is on the shortest option that meets your need, so old visitor data is purged automatically rather than archived
  • Quarterly: Shred unsuccessful applicant resumes and documents, and delete any scanned copies

Result: Clear, defensible retention policy specific to their business model.
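The monthly job and its deletion log, written out as an added example; it is not ComplyHQ's code nor from the original page. It assumes a SQLite database with the hypothetical tables, columns and sample rows constructed in the script, and the retention periods mirror the schedule above. Beyond the monthly purge it applies the exceptions discussed earlier: a customer who has withdrawn consent has marketing contact fields scrubbed immediately while invoice data stays until the 5-year tax period expires, a customer under legal hold is skipped, and a customer whose contact data has expired but whose invoices must still be kept is stripped of identifying fields rather than deleted (the Section 25 "remove the means of association" route).

```python
"""Retention-enforcement job for the e-commerce schedule above.

Added example, not ComplyHQ's or the page's own code. The tables, column names
and sample rows are assumptions constructed here so the script runs offline.
"""
import sqlite3
from datetime import datetime, timedelta

# Retention periods in days, mirroring the schedule above.
CONTACT_DAYS = 3 * 365       # customer contact + address: 3 years from last order
ORDER_DAYS = 3 * 365         # order history: 3 years
TRANSACTION_DAYS = 5 * 365   # payment/transaction records: 5 years (tax records)
APPLICANT_DAYS = 365         # unsuccessful applicants: 1 year

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
    address TEXT, last_order_at TEXT, consent_withdrawn_at TEXT, legal_hold INTEGER);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, items TEXT, ordered_at TEXT);
CREATE TABLE transactions (id INTEGER PRIMARY KEY, customer_id INTEGER,
    amount_sgd REAL, card_last4 TEXT, paid_at TEXT);
CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, cv TEXT, rejected_at TEXT);
CREATE TABLE deletion_log (id INTEGER PRIMARY KEY, run_at TEXT, table_name TEXT,
    action TEXT, record_id INTEGER, reason TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (hypothetical customers)."""
    conn = sqlite3.connect(":memory:")
    # SQLite-specific: zero freed pages instead of leaving deleted rows readable
    # in the file. Journal/WAL files and backups still need their own purge.
    conn.execute("PRAGMA secure_delete = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Alice Tan", "alice@example.com", "+6591230001", "1 Orchard Rd", "2026-01-10", None, 0),
        (2, "Ben Lim", "ben@example.com", "+6591230002", "2 Bugis St", "2022-03-01", None, 0),
        (3, "Chloe Ng", "chloe@example.com", "+6591230003", "3 Jurong Ave", "2020-02-01", None, 0),
        (4, "Dev Raj", "dev@example.com", "+6591230004", "4 Tampines Rd", "2026-02-01", "2026-03-01", 0),
        (5, "Eva Koh", "eva@example.com", "+6591230005", "5 Bedok Rd", "2021-01-01", None, 1),
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (1, 1, "laptop", "2026-01-10"), (2, 2, "phone", "2022-03-01"), (3, 3, "tablet", "2020-02-01"),
        (4, 5, "camera", "2021-01-01"), (5, 4, "headphones", "2026-02-01"),
    ])
    conn.executemany("INSERT INTO transactions VALUES (?,?,?,?,?)", [
        (1, 1, 1500.0, "4242", "2026-01-10"), (2, 2, 900.0, "1111", "2022-03-01"),
        (3, 3, 400.0, "2222", "2020-02-01"), (4, 5, 700.0, "3333", "2021-01-01"),
        (5, 4, 120.0, "4444", "2026-02-01"),
    ])
    conn.executemany("INSERT INTO applicants VALUES (?,?,?,?)", [
        (1, "Fiona Goh", "cv text", "2025-01-15"), (2, "Gavin Ho", "cv text", "2026-04-01"),
    ])
    conn.commit()
    return conn


def run_retention_job(conn: sqlite3.Connection, now: datetime) -> dict:
    """Apply the schedule as of `now`; returns {"table:action": count}."""
    cutoff = lambda days: (now - timedelta(days=days)).strftime("%Y-%m-%d")
    run_at = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    summary = {}

    def log(table, action, ids, reason):
        # The audit trail records what was removed and why, never the data itself.
        conn.executemany("INSERT INTO deletion_log (run_at, table_name, action, record_id, reason) "
                         "VALUES (?,?,?,?,?)", [(run_at, table, action, i, reason) for i in ids])
        summary[f"{table}:{action}"] = len(ids)

    def select_ids(sql, params=()):
        return [r[0] for r in conn.execute(sql, params)]

    # 1. Consent withdrawn: stop using marketing channels immediately (s16), keep the rest.
    ids = select_ids("SELECT id FROM customers WHERE consent_withdrawn_at IS NOT NULL "
                     "AND (email IS NOT NULL OR phone IS NOT NULL)")
    conn.executemany("UPDATE customers SET email = NULL, phone = NULL WHERE id = ?", [(i,) for i in ids])
    log("customers", "scrub_marketing_contact", ids, "consent withdrawn")

    # 2. Expired order history and expired transaction records: hard DELETE,
    #    skipping anything whose customer is under legal hold.
    for table, col, days in (("orders", "ordered_at", ORDER_DAYS), ("transactions", "paid_at", TRANSACTION_DAYS)):
        ids = select_ids(f"SELECT t.id FROM {table} t LEFT JOIN customers c ON c.id = t.customer_id "
                         f"WHERE t.{col} < ? AND COALESCE(c.legal_hold, 0) = 0", (cutoff(days),))
        conn.executemany(f"DELETE FROM {table} WHERE id = ?", [(i,) for i in ids])
        log(table, "delete", ids, f"{days} day retention expired")

    # 3. Customers past the contact period: if invoices must still be kept, remove the
    #    means of identifying them (s25 alternative); otherwise delete the row outright.
    expired = select_ids("SELECT id FROM customers WHERE last_order_at < ? AND legal_hold = 0", (cutoff(CONTACT_DAYS),))
    keep = [i for i in expired if conn.execute("SELECT 1 FROM transactions WHERE customer_id = ? LIMIT 1", (i,)).fetchone()]
    drop = [i for i in expired if i not in keep]
    conn.executemany("UPDATE customers SET name = NULL, email = NULL, phone = NULL, address = NULL WHERE id = ?",
                     [(i,) for i in keep])
    log("customers", "pseudonymise", keep, "contact retention expired; transactions still within tax period")
    conn.executemany("DELETE FROM customers WHERE id = ?", [(i,) for i in drop])
    log("customers", "delete", drop, "contact retention expired; no records remain")

    # 4. Unsuccessful applicants older than one year.
    ids = select_ids("SELECT id FROM applicants WHERE rejected_at < ?", (cutoff(APPLICANT_DAYS),))
    conn.executemany("DELETE FROM applicants WHERE id = ?", [(i,) for i in ids])
    log("applicants", "delete", ids, f"{APPLICANT_DAYS} day retention expired")

    conn.commit()
    return summary


def demo(as_of: str = "2026-06-05"):
    """Build the sample database and run the job as of the given date."""
    conn = build_sample_db()
    return conn, run_retention_job(conn, datetime.strptime(as_of, "%Y-%m-%d"))


if __name__ == "__main__":
    print(demo()[1])
```

Run it as a script to see the per-action counts. Two things the job cannot do for you: SQLite's secure_delete pragma zeroes freed pages in the main file, but rows already copied into the journal, WAL or a backup survive until those are rotated, which is why the backup window has to be short; and in server databases the equivalent concern is dead row versions until the table is vacuumed, plus the transaction logs.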

Common Questions About PDPA Retention

Q: Can we keep anonymized data indefinitely? Only if it's truly anonymized—meaning irreversibly unidentifiable. In practice, if your data can be combined with other sources to re-identify someone, it's not anonymized under PDPA.

Q: What if a data subject doesn't ask us to delete their data? Doesn't matter. Your obligation to delete exists whether they ask or not. You can't keep data indefinitely just because the customer hasn't complained.

Q: Do we need consent to keep data after the retention period? Not as a standalone reason. Consent to collect data doesn't mean consent to keep it indefinitely. You still must delete when retention period expires.

Q: What if we merge with another company? The acquiring company inherits PDPA obligations. You should review combined data and align retention schedules. A common mistake: keeping competitor customer data without business purpose just because you acquired it.

Q: Can we keep data "for compliance purposes" indefinitely? Only if a specific law requires it. "Compliance" isn't a catch-all justification. If no legal obligation exists, you must delete when your business purpose ends.

Final Checklist: Is Your SME Compliant?

  • Documented retention schedule with specific retention periods for each data category
  • Justification for each retention period (business purpose, legal obligation, or legitimate interest)
  • Deletion processes in place (automated where possible, manual with documentation where not)
  • Backup deletion aligned with main data retention schedule
  • Staff training on data retention and deletion obligations
  • Vendor contracts include data deletion clauses and verification
  • Annual review of retention schedule scheduled
  • Audit trail or log showing when deletions occurred
  • Data subject request process that respects retention obligations while honoring legitimate deletion requests

If you're missing any of these, that's a compliance gap worth closing.

The Path Forward

Data retention compliance isn't about following a formula—it's about being intentional about what you keep and why. The PDPC doesn't expect perfection; it expects reasonableness and documentation.

For most Singapore SMEs, a thoughtful retention policy created once and reviewed annually is sufficient. The businesses that get into trouble are those that:

  • Never think about retention
  • Can't explain why they keep data
  • Don't actually delete when they say they will
  • Keep indefinite backups
  • Don't train staff on deletion

These are all preventable.

Start with your data inventory. Create your retention schedule this month. Build deletion processes over the next month. Then, set a calendar reminder to review it annually.

That's genuine PDPA compliance—and it protects your business from enforcement action, reputational damage, and the operational burden of defending unjustifiable data practices.

The investment is minimal. The protection is significant.

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Frequently Asked Questions

Does PDPA specify exact data retention periods?
PDPA doesn't mandate specific timeframes—instead, it requires you to retain personal data only as long as necessary for your stated purposes. The PDPC's Advisory Guidelines recommend a 'retention schedule' based on business needs, legal obligations, and contractual requirements. For example, employment records typically need 5 years for tax purposes, but customer preferences may only need 2 years. The key is documenting your justification for each retention period.
What happens if we keep data longer than necessary?
Retaining data beyond what is necessary breaches the PDPA's Retention Limitation Obligation (Section 25). The PDPC can issue directions and impose a financial penalty of up to SGD 1 million or 10% of your annual turnover in Singapore, whichever is higher. More practically, excess data enlarges the blast radius of any breach: records you no longer need still have to be protected and still count when a breach is assessed. Many Singapore SMEs have faced enforcement action specifically for failing to delete outdated customer records.
How should we handle deletion of old data?
You must have a documented process for secure deletion—simply moving files to trash isn't enough. Use data wiping software for digital records and shredding for physical documents. Keep audit trails showing what was deleted and when. ComplyHQ's AI-powered compliance tools can automate retention schedules and flag data ready for deletion, handling your PDPA obligations in minutes rather than weeks of manual review.
What if we need data for legal disputes or investigations?
You can retain data longer if required by law, ongoing court proceedings, or reasonable legal holds. Document this exception clearly and communicate it to the data subject if requested. Once the legal matter concludes, resume your normal deletion schedule. The PDPC recognizes legitimate business and legal reasons—just ensure you're transparent about them.
Tags: PDPA, Singapore compliance, SME, data protection, PDPC, data retention
